bug: go-git failed to checkout with tag and unstaged changes

[khareyash05]

Describe the bug

To set the context, we have a flux cd setup

apiVersion: source.toolkit.fluxcd.io/v1beta1
kind: GitRepository
metadata:
  name: api-server
  namespace: flux-system
spec:
  interval: 1m
  url: ssh://git@github.com/keploy/api-server
  ref:
    semver: ">=0.1.0"
---

Since flux uses go-git, we are facing issue of failed to checkout and determine revision: unable to checkout tag 'vX.X.X': worktree contains unstaged changes

We did a backtrack of where this issue is and found it in https://github.com/fluxcd/pkg/blob/ac1007b57e37838e73b8bc95365dab9a0e856e8e/git/gogit/clone.go#L382

We then isolated it and created our own program simulating the same, and were able to replicate the issue.It looks like that go-git is able to checkout the code but not able to go to that specific tag because it does a sort of soft reset ie. if we checkout 0.7.3 all the future commits to the branch move to the staging area and thus the former issue of unstaged changes

We want to create a Helm Chart citing the latest release , but since it fails at this step, we arent able to proceed further

Steps to reproduce

Configure FluxCD for your environment

Expected behavior

Cloning is done with working tree clean

Screenshots and recordings

No response

OS / Distro

Ubuntu

Flux version

Latest

Flux check

NA

Git provider

No response

Container Registry provider

No response

Additional context

No response

Code of Conduct

• [X] I agree to follow this project's Code of Conduct

[khareyash05]

Also we did some diving into the code and found that if we use Force:true in https://github.com/fluxcd/pkg/blob/ac1007b57e37838e73b8bc95365dab9a0e856e8e/git/gogit/clone.go#L378C2-L380C4 , we were able to clone perfectly or if we put NoCheckout:true in https://github.com/fluxcd/pkg/blob/ac1007b57e37838e73b8bc95365dab9a0e856e8e/git/gogit/clone.go#L287C2-L298C3 , all work perfectly done, but not sure how we will do this using the flux config yaml

[khareyash05]

We did a kubectl describe gitrepository -n flux-system api-server and this is how it looks like

Name:         api-server
Namespace:    flux-system
Labels:       kustomize.toolkit.fluxcd.io/name=flux-system
              kustomize.toolkit.fluxcd.io/namespace=flux-system
Annotations:  <none>
API Version:  source.toolkit.fluxcd.io/v1beta2
Kind:         GitRepository
Metadata:
  Creation Timestamp:  2024-10-09T07:47:13Z
  Finalizers:
    finalizers.fluxcd.io
  Generation:        1
  Resource Version:  473625663
  UID:               a85c9410-3aaf-48e0-a796-e6017cc5843f
Spec:
  Git Implementation:  go-git
  Ignore:              # exclude all
/*
# include charts directory
!/deployment/

  Interval:  1m
  Ref:
    Semver:  >=0.1.0
Status:
  Conditions:
    Last Transition Time:  2024-10-09T14:06:20Z
    Message:               building artifact
    Observed Generation:   1
    Reason:                ProgressingWithRetry
    Status:                True
    Type:                  Reconciling
    Last Transition Time:  2024-10-09T14:06:20Z
    Message:               failed to checkout and determine revision: unable to checkout tag 'v0.7.3': worktree contains unstaged changes
    Observed Generation:   1
    Reason:                GitOperationFailed
    Status:                False
    Type:                  Ready
    Last Transition Time:  2024-10-09T10:49:40Z
    Message:               failed to checkout and determine revision: unable to checkout tag 'v0.7.3': worktree contains unstaged changes
    Observed Generation:   1
    Reason:                GitOperationFailed
    Status:                True
    Type:                  FetchFailed
  Observed Generation:     -1
Events:
  Type     Reason              Age                   From               Message
  ----     ------              ----                  ----               -------
  Warning  GitOperationFailed  13m (x27 over 6h13m)  source-controller  failed to checkout and determine revision: unable to checkout tag 'v0.7.3': worktree contains unstaged changes